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Abstract — We consider the problem of communicating infor- 
mation over a network secretly and reliably in the presence of a 
hidden adversary who can eavesdrop and inject malicious errors. 
We provide polynomial-time, rate-optimal distributed network 
codes for this scenario, improving on the rates achievable in |1|. 
Our main contribution shows that as long as the sum of the 
adversary's jamming rate Zo and his eavesdropping rate Zi 
is less than the network capacity C, (i.e., Zo + Zi < C), our 
codes can communicate (with vanishingly small error probability) 
a single bit correctly and without leaking any information to 
the adversary. We then use this to design codes that allow 
communication at the optimal source rate of C — Zo — Zj, while 
keeping the communicated message secret from the adversary. 
Interior nodes are oblivious to the presence of adversaries and 
perform random linear network coding; only the source and 
destination need to be tweaked. In proving our results we correct 
an error in prior work (U by a subset of the authors in this work. 

I. Introduction 

A source Alice wishes to transmit information to a receiver 
Bob over a network containing a malicious adversary Calvin. 
Such scenarios face at least two challenges - Calvin might 
eavesdrop on private communications, or he might disrupt 
communications by injecting fake information into the net- 
work. In the network coding model this second danger may 
be even more pronounced since all nodes, including honest 
ones, mix information. In this case, even a small number of 
fake packets injected by Calvin may end up corrupting all the 
information flowing in the network, causing decoding errors. 

In this work we consider the secrecy and error control 
issues together. Namely, we design schemes that allow reliable 
network communications in the presence of an adversary that 
can both jam and eavesdrop, without leaking information to 
him. In particular, suppose the network's min-cut from Alice 
to Bob is C, and Calvin eavesdrops on Zj links and corrupts 
Z linkffl We demonstrate schemes that are distributed, 
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We consider a model where network links rather than nodes are eaves- 
dropped and corrupted; eavesdropping on a node is equivalent to eavesdrop- 
ping on links incoming to it, and corrupting a node is equivalent to corrupting 
the links outgoing from it. 



computationally efficient to design and implement, and can be 
used to communicate a single bit secretly and without error. 
We then use this scheme as a tool to improve on prior work 0, 
and achieve a provably optimal rate of C — Zo — Zj. 

Related problems have been considered in the past. Prior 
results may be classified in the following three categories. 

For networks containing adversaries that only eavesdrop 
on some links (without jamming transmissions), the work 
of JU provided a tight information-theoretic characterization of 
the secrecy capacity, i.e., the optimal rate achievable without 
leaking any of Alice's information to Calvin. Efficient schemes 
achieving this performance were proposed by |]5j — El - Crypto- 
graphically (but not information-theoretically) secret schemes 
for this scenario were also considered in J8). 

For networks containing adversaries with unlimited eaves- 
dropping capabilities and limited jamming capabilities, prior 
related work has focused primarily on the detection of Byzan- 
tine errors (9), non-constructive bounds on the achievable zero- 
error rates iflOl . ifTTl . and network error-correcting codes |i2|| 
(which have high design complexity) and J2), ifPTl . Ifl4l 
(which have low design complexity). Results for this setting 
are also available under cryptographic assumptions lH5l . lfl6l . 

The scenario closest to the one considered in this work, 
with limitations on both Calvin's eavesdropping power Zj 
and his jamming power Zo, have been considered in 0~)-|[3], 
IfTTl . ifTHI . Under the requirement of zero error probability, 
the maximum rate of secret and reliable communication is 
given by C — 2Zo — Zj. Schemes achieving this rate have 
been proposed in 0~), lfl8l (high design complexity schemes) 
and flTl . Ifl9l . l20l (low design complexity schemes). The 
optimality of such a rate has been shown in JT] for single- 
letter coding and in l20l for block coding. 

If the requirement of zero error probability is relaxed to 
vanishingly small error probability, as considered here, then 
higher rates may be achieved. In particular, the work in Q 
provided computationally efficient communication schemes 
(but with no guarantees on secrecy) at rate C — Zo as long 
as the technical requirement C > 2Zo + Zi was satisfied. 
Work by a subset of the authors of this paper claimed in (2) 
to improve this technical requirement to C > Zo + Zt. As 
we demonstrate in Section IVIIII prior proof of the claim was 
incorrect, and Section [ID gives a correct proof of the claim. 
Combining these results with the secrecy scheme of Q allows 
us to obtain the optimal rate of C — Zo — Zi when secrecy 
constraints are incorporated. 



II. Main Results 
The main results of this work are Theorems Q] and [2] 

Theorem 1: If C > Zq — Zi then Alice can commu- 
nicate a single bit correctly to Bob (while keeping it se- 
cret from Calvin) using codes of computational complexity 
0(poly(C, log 2 q)) and error probability 0(q~ c ). 

Combining the codes in Theorem Q] with the "shared-secret" 
codes in J3] then gives us the following theorem. 

Theorem 2: No rate higher than C — Zo — Zi is achiev- 
able. A rate of C — Zo — Zi is achievable with codes of 
computational complexity 0(npoly(C, log 2 q)). 

Note: In (3, Ngai et al show that C — 2Z Q — Zj is an upper 
bound on the rate, assuming no error events, and single-letter 
coding (respectively equations (87) and (65) in their proof). 
Our work achieves higher rates by instead assuming asymp- 
totically negligible probability of error, and block coding. 

A. High-level overview of proofs and techniques 

We first show in Section [TV] that C — Zo — Zi is an upper 
bound on the rate at which a secret message can be correctly 
transmitted from Alice to Bob, by demonstrating an attack that 
Calvin can use to successfully disrupt communication if Alice 
tries to communicate at any higher rate. We then construct 
efficient codes that essentially achieve rate C — Zo — Zj. 
Our codes consist of the three layers described below. All the 
three layers are embedded along with Alice's message into 
her packets and then transmitted through the network using 
random linear network codes. 

Secret-sharing layer: In Section|VT]we first prove TheoremQ] 
by showing how to communicate a single bit secretly and 
correctly over a network containing adversaries that can jam 
and eavesdrop, as long as C > Zj + Zo- This layer is 
important for the error-control layer described later, and can be 
implemented via a "small" header appended to each network 
coded packet. When k secret bits are to be shared, the scheme 
is repeated k times in each transmitted packet header, for a 
secret-sharing header of total length C + kC(C — Z{). The 
secret-sharing layer consisting of the following components: 

1. Identity matrix: As standard in random linear network 
coding ||2T1 . ff3l . the identity matrix Ic is appended to convey 
to the receiver information about the linear transform induced 
by the random linear network code. 

2. Bit matrices: For each secret bit, i e {1, . . . , k}, if the ith 
secret bit equals 0, the (C — Zi) x C(C - Zi) matrix S i 
(over F g ) is chosen as a zero matrix; otherwise, S l is chosen 
independently and uniformly at random from all (C — Zi) x 
C(C — Zi) matrices. We refer to S' 1 as a bit matrix. The 
idea is that the rank of the matrices corresponding to bit is 
much smaller than the rank of the matrices corresponding to 
bit 1 — due to the limitation on the numbers of packets Calvin 
can observe or inject, with high probability he cannot change 
the rank of the corresponding received matrix by too much. 
Details are given in Lemma [3] 



'S.Random matrix: Alice adapts the scheme of Q to keep the 
bit matrices secret from Calvin. That is, for each secret bit i 
that Alice wishes to communicate to Bob, she combines the 
bit matrix S % with a random noise matrix N l (at rate Zi). 
It can be shown that it is impossible for Calvin to glean any 
useful information (since it can only eavesdrop at rate Zi). 

Section IVHI combines the secrecy layer with the two other 
layers described below to complete our code construction. 
Secrecy layer: As done with the random matrices N l in 
the secret-sharing layer above, a random matrix N is used 
to preserve the secrecy of the source message S (of rate 
C — Zo — Zi), yielding a encoded matrix M (of rate C — Zo). 
Error control layer: In this layer Alice uses the "shared- 
secret" scheme outlined in Theorem 1 of [3 J. That is, Alice 
first takes a secret linear hash to her secrecy-encoded message 
M to generate a small hash value. Both the linear hash and 
the resulting hash value (say k bits in all) are transmitted to 
Bob using the secret-sharing layer. Alice then combines her 
data with a zero-value matrix (of rate Zo), such that Bob can 
use the secret hash to distill Alice's codeword M from the 
corrupted information reaching the destination. 

Vis-a-vis our secret-sharing scheme of Section [VT] the work 
of J2| (by a subset of the authors of this work) claimed to have 
the same result. However, we show in Section IVIIII that the 
scheme proposed in (2J is incorrect by giving an attack that 
Calvin can use to ensure that Bob has a significant probability 
of decoding error. 

III. Network Model and Problem Statement 

We use the general model proposed in Q. To simplify 
notation we consider only the problem of communicating from 
a single source to a single destination^ 

A. Network Model 

Alice communicates to Bob over a network with an attacker 
(adversary) Calvin hidden somewhere in it. Calvin aims to 
disrupt the transfer of information from Alice to Bob and in 
the meantime eavesdrop the information Alice sends. He can 
observe some of the transmissions, and can inject his own fake 
transmissions. 

Calvin is computationally unbounded, knows the encoding 
and decoding schemes of Alice and Bob, and the network 
code implemented by the interior nodes. He also knows the 
network topology, and he gets to choose which network links 
to eavesdrop on and which ones to corrupt. 

The network is modeled as a directed and delay-free graph 
whose edges each have capacity equal to one symbol of a 
finite field of size q, ¥ q , per unit tim^H All computations are 
over F g . The network capacity, denoted by C, is the min-cut 
from source to destination^ 

Similarly to many network coding algorithms, our techniques generalize 
to multicast problems. 

3 For ease of presentation edges with non-unit capacities are not considered 
here (as in (5), they may be modeled via block coding and parallel edges). 

4 For the corresponding multicast case, C is defined as the minimum of 
the min-cuts over all destinations. It is well-known that C also equals the 
time-average of the maximum number of packets that can be delivered from 
Alice to Bob, assuming no adversarial interference, i.e., the max flow. 



Each packet contains n symbols from ¥ q . Alice's message 
is denoted S G S. To send this to Bob over the network, Alice 
encodes it into a matrix X G ¥^ n , possibly using a stochastic 
encode^. The i th row in X is Alice's i th packet. As in |2T1 . 
Alice and internal nodes in take random linear combinations 
of their observed packets to generate their transmitted packets. 

Analogously to how Alice generates X, Bob organizes 
received packets into a matrix Y. The i th received packet 
corresponds to the i th row of Y. The random linear network 
code used by Alice and all internal nodes induces a linear 
transform A from X to Y, such that Y — AX when no 
error is induced by the adversar>@. Thus Y is a matrix in 
F^ x ™, and A G ¥^ xC . Hereafter we assume that the matrix 
A is invertible, which happens with high probability if q is 
sufficiently large ET1 . 

Calvin can eavesdrop on Zj edges, and can inject (possibly 
fake) information at Zq locations^, in the network. The 
matrix received by Bob is then Y = AX + Z, where Z 
corresponds to the information injected by Calvin as seen by 
Bob. Note that the limitation of Calvin's jamming capacity 
implies that rank(Z) < Zo- Similarly, Calvin's observation 
can be described as a matrix W = BX, where B G W^' xC 
is the linear transform undertaken by X as seen by Calvin. 

B. Problem Statement 

Alice wishes to communicate with Bob with perfect secrecy 
and vanishingly small error probability. That is, Alice's scheme 
is perfectly secret if 

I(S;W)=0 VB G Wq' xC (1) 

i.e., Calvin obtains no information about Alice's message. The 
error probability is the probability that Bob's reconstruction 
S of Alice's information S is inaccurate, i.e., P[S ^ S]. 
We consider the error probability of the worst-case scenarioj. 
Namely, a scheme has error probability less than e if P[S ^ 
S] < e MA, Z, where A is assumed to be nonsingular, and 
rank(Z) < Zo- The rate R of a scheme is the number 
of information bits of information Alice transmits to Bob, 
amortized by the size of a packet in bits, i.e., R = ^ log^ |<S|. 
The rate R is said to be achievable if for any e > 0, any 
5 > 0, and sufficiently large n, there exists a perfectly secret 
block-length-?! network code with rate at least R — 5 and a 
probability of error less than e. 

IV. Converse for Theorem |2] 

We start by presenting an attack that Calvin may use to 
force the achievable rate to at most C — Zo — Zj, thereby 

5 The random coin tosses made by Alice as part of her encoding scheme 
are not known to either Calvin or Bob. 

6 For the ease of notation we assume Bob removes redundant incoming 
edges so that the number of edges reaching Bob equals the min-cut capacity 
C from Alice to Bob. 

7 We assume throughout that the information injected into the network by 
Calvin is added to the original information transmitted (here we consider 
addition over our field ¥ q ). 

8 Our interest is to design communication schemes that do not rely on the 
specific network topology or network code used. 



TABLE I 

Summary of commonly used notation 



Notation 


Meaning 


C 


Capacity 


Zi 


Eavesdropping rate 


Zo 


Jamming rate 


n 


Packet length 


q 


Field size 


Q = q u 


Extension field size 



demonstrating that this is indeed an upper bound on the 
achievable rate. Let {ei, e2, ec} be a set of edges that 
form a cut from Alice to Bob. Calvin jams the edges in 
{ei, e2, e Zo } by adding random errors on them. Further, 
Calvin eavesdrops on edges in {e Zo +i, ez +2, — , e Zo+Zl }. 
Let X be the random variable denoting Alice's information. 
Let Yj, Y e , and Y u be the random variables denoting the 
packets carried by the jammed edges {ei, €2, e Zo }, eaves- 
dropped edges {ez +i,ez +2,—,e Zo +z I }, and untouched 
edges {e Zo+Zl +i,e Zo+Zl+2 , -,e c } respectively. Let Y be 
the random variable denoting the packets received by Bob. 
Then 
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(- enR 


+ 7(X;Y ej Y„) 
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(- enR 
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(- enR 


+ H(Y U ) 
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n 


(C- 


Zi - Z )+eR+- 
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(9) 



Here (f2]i follows from the fact that Alice's message is uni- 
formly distributed over X, (O from Fano's inequality, (01 from 
the data processing inequality, (|5]l since Calvin adds random 
noise on the edges he jams and so Yj is independent of 
(X, Y e ,Y„), (O by the chain rule for mutual information, 
(0 from the fact that information-theoretic secrecy is required 
and so 7(X; Y e ) = 0, (O by the fact that conditioning reduces 
entropy and the definition of mutual information, and finally 
(0 by the fact that there are at most C — Zj — Zo links 
corresponding to the random variable Y u and the alphabet- 
size upper bound on entropy. Requiring e — > as n — > oo 
gives the required result. 

V. Auxiliary Tools 

A. Secrecy Coding 

Consider a special case of the problem where Calvin can 
eavesdrop Zj < C packets but cannot jam any packets 
(Zo = 0). Below, we review a construction of a perfectly 
secret scheme that asymptotically achieves the maximum 
possible rate (i.e., the secrecy capacity) R = C — Zj. The 
scheme, proposed in (i7|, is based on MRD codes. (For more 
details on MRD codes, see Q.) 



Let Q 
Let (j) : Fq 
addition, let 



q c and let Fq be an extension field of ¥ q . 
Fq XC be a vector space isomorphism. In 
„ : F™ x ™ -4 F™ xC " be a vector space 
isomorphism such that the ith row of (j) m ^ n (X) is given by 
\6{Xi t i) ■■■ <f>(Xi tn )\ . In other words, we expand each 
element ofXeFg X ™asa length-C row vector over F g (with 
the number of columns in matrix increasing accordingly). We 
will omit the subscript from </>„,.„ when the dimensions of the 
argument are clear from the context. 

Let H G w { q~ Zi)xC be the parity-check matrix of a [C, Zj\ 
linear MRD code over Fq. Let T G Fg X<7 be an invertible 
matrix chosen such that the first C — Zj rows of T~ x are equal 
to H. Assume that n is divisible by C and let n' — n/C — 1. 
In order to encode a given message S G w ( °- Zl)xn \ Alice 

first generates a random matrix N G ¥q' xu uniformly and 
independently from any other variables. Then, she computes 

X = [I c <f>(x)] , where x = T ' 



After receiving Y = AX = A A(f)(x)\, Bob computes 
X = A~^^Y to recover x = 4>~ 1 (4>(x)). Then, Bob can easily 
obtain S since, by construction, S = Hx. 

Recall that Calvin's observation is given by W = BX, 
where B G ¥^' xC . According to Theorem 4 of Q, we have 
that I(S] W) = for all B, and therefore (|TJ is satisfied. 
Thus, the scheme is indeed perfectly secret. 

The decoding complexity is given by 0(nC 2 ) operations in 
Fq, which can be done in 0(nC A ) operations in ¥ q . 

B. Error Control under a Shared Secret Model 

Consider now the case where Calvin can jam Zo < C 
packets and eavesdrop any number of packets he choose. 
However, we drop the requirement of secret communication, 
i.e., all we require is that Bob can decode correctly. In addition, 
suppose the existence of a low rate side channel, which Calvin 
cannot access, that enables Alice to transmit to Bob a small 
secret §. Below, we review a coding scheme presented in |3 | 
that can asymptotically achieve the maximum possible rate 
R = C — Zq. 

Let b = C — Zq- We first describe how Alice produces the 



bx (n— 6) 



secret bit string § based on a given message M G * q 
begin with, she generates a = bC + 1 symbols p\ , pi , . 



To 



,Pa G 



first b columns of A. Let Y be the reduced row echelon form of 
Y . It is shown in [3) that, with probability at least 1 — 0(1 /q) 
for any fixed network, X can be written as X — UY for 
some U G ¥ b q xC . It is also shown in [3) that, with probability 
at least l~n a /q, the system UYP = FJ has a unique solution 
in U. Bob solves this system to find U, computes X = UY 
and finally recovers M. 

Overall, the probability of error of the scheme is at most 
n a /q + 0(1/ q) = 0(n c /q), while the decoding complexity 
is 0(nC 3 ) operations in ¥ q . 

VI. Sending a Single Bit Secretly and Reliably 

Let C = C — Zj, In this section, we show how Alice can 
transmit a secret bit reliably to Bob when C > Z] + Zq- We 
assume that n = C(l + C), as this is the smallest packet 
length required for the scheme to work. Larger packet lengths 
can be easily handled by zero-padding the transmitted packets. 

Let T G Fg XC and H G ¥q' xC be as given in Section ES 

A. Alice's encoder 

Initially, Alice chooses a matrix S G Fg xC according 
to her secret bit: if the bit is 1, she picks S uniformly at 
random; otherwise, if the bit is 0, she sets S = 0. Then, 
she sends S to Bob using the secrecy scheme described in 
Section IV-AI More precisely, she transmits X = [ic &(%)], 



where x = T 
matrix chosen independently from S 



and N G F^ xC is a uniformly random 



B. Bob's decoder 

Recall that Bob receives a matrix Y 



AX + Z, where 



A G F 



CxC 



,CxC(l+C") 



has rank 



independently and uniformly at random. Let P G F^ XQ y ^^8xc' suc jj 



be the matrix given by Pu j) = (Pj) 1 - Then, she computes 
a matrix FJ = XP G F^ xa , where X = [l b M]. The 
tuple (pi, p2, p a , H), consisting in total of a(b+l) symbols 
in F g , comprises the message "hash" that should be secretly 
transmitted to Bob. The bit representation of this tuple yields 
the string § G {0,l} fc , consisting of k = a(b + l)\og 2 q 
bits. Over the main channel, Alice transmits the C x n matrix 



is nonsingular and Z G ¥ q 
at most Zo- Let Y denote the reduced row echelon form of 
Y. Consider first the case where Y = [I 4>(r)\, for some 
r G Fg XC ". It is possible to show that Hr — S + E, where 
E G Fg xC is a matrix of rank at most Z - As will be 
shown later, with high probability, Hr is full-rank if and only 
if Alice's secret bit is 1. Thus, Bob can decode by computing 
the rank of Hr. 

In general, however, Y may not have the form described 
above. Nevertheless, as shown in lfl3l . ifTTl . it is possible to 
extract from Y some matrices r G Fg XC , L G Fj^^ and 



r = x + LV 1 



L 2 V 



for some V 1 G 

F exC' 

Q 



Tl j,xC' 
Q 



L 2 G ¥^ xS , 



f L 3 V 3 
L 3 G 



WCxe 

q 



and V 3 G 



X = 



h 




M 




Assuming that (p%,p2, • • ■ , p Q , FJ) is secretly and correctly 
received by Bob, let us proceed to the description of Bob's 
decoder. First, Bob reconstructs the matrix P. Bob obtains 
Y = AX + Z, where Z G F^ Xn has rank at most Z . This 
can also be written as Y = AX + Z, where A consists of the 



Moreover, it is shown in [17] that p, S < Zo and 

e < Zo — max{/i, S}. 

Note that e < C - max{/z, 6}, since Z < C. 

In possession of r, L and V, Bob is now ready to decode 
the secrecy layer that has been applied to x. 

We have 



Hr = Hx + HLV 1 + HL 2 V + 
= S + AV 1 +A 2 V + A 3 V 3 



HL 3 V 3 



(10) 



where A = HL, A 2 = HL 2 and A a = HL 3 . Note that A e 

awn. 

and K £ ¥)■ 



Similarly, let Hq £ Fg Xb be the parity-check matrix of a 
[b,Zi] linear MRD code over Fq, and let T £ ¥ bxh be an 
invertible matrix such that the first R rows of T ~ are equal 
to H . 



F$!' XA1 and V £ Fi xC are known 



Now, let J £ 



Q 



be full- 



rank matrices such that J A = and VK = 0. Then Bob can 
further simplify ( fTOb by computing 



A. Alice's encoder 

First, given a message S £ F 



T 



where iV £ F 



Jtfr.fr = JSK + JA 6 V 3 K. 

Note that rank (JA 3 ^ 3 AT) < e < C - max{/i, (5}. 

Thus, Bob performs the following test. If JHrK is full- 
rank, then Bob concludes that bit 1 was sent; otherwise, Bob 
concludes that bit was sent. 

With respect to complexity, computing Y takes 0(C 2 n) = 
0(C 4 ) operations in ¥ q . Computing J, K, JHrK and the 
rank of JHrK each take 0(C 3 ) operations in Fq, which 

amounts to 0(C 5 ) in ¥ q . Thus, the overall decoding com- she com P utes :r ' = T 



Rxn' 
Q ' 



Alice computes 



ZjXn' 



q is chosen independently 

and uniformly at random. Then, she sets M = 4>(x) and 
generates a string 8 £ {0, l} fc of k bits according to the 
scheme described in Section IV-BI Next, for each ith bit of 
§, Alice produces a matrix S 1 £ Fq xC according to the 
scheme described in Section IVTl Then, for each i = 1, . . . , k, 

where each N' 



plexity is 0(C ) operations in ¥ q . 

C. Probability of error analysis 

When bit is sent, Bob never makes an error; he makes 
an error if and only if bit 1 is sent and JHrK is not 
full-rank. Recall that, when bit 1 is sent, S is uniformly 
distributed over Fg xC . Due to the secrecy encoding, Calvin 
has no information about S, and therefore S is statistically 
independent from A 3 V 3 . It follows that S' = S + A 3 V 3 is 
also uniformly distributed over Fq xC . Thus, the probability 
of error when bit 1 is sent is equal to the probability that 



JS'K £ F 



{C'-n)x(C'-S) 

Q 



is not full-rank for a uniform S" 



Lemma 3: If S' £ Fq xC is uniformly distributed then, 
for any J £ ¥ < q ~^ xC and any K £ Fq x ^ C ~ S \ the matrix 
JS'K is full-rank with probability at least 1 - C /Q. 

Proof: Without loss of generality, assume /i > 8. It 
suffices to prove the statement for \i = 8; if fj, > 5, then 
removing [i — 8 columns from K cannot possibly increase the 
rank of JS'K. 

For any fixed J and K, consider the entries of S' as 
variables taking values in Fq. Then each entry of JS'K is 
a multivariate polynomial over Fq with degree at most 1. It 
follows that dct( JS'K) is a multivariate polynomial over Fq 
with degree at most C — /i < C . Note that, if Q < C, 
the statement follows trivially, so assume Q > C, From 12T1 
Lemma 4], we have that P[dct(JS'K) = 0] < C'/Q. ■ 

Thus, the probability of error of the scheme is upper 
bounded by C'/Q < C/q , which can be made arbitrarily 
small by choosing q sufficiently large. This proves TheoremQ] 

VII. ACHIEVABILITY FOR THEOREmE] 

We now describe a coding scheme that achieves rate R = 
C — Zj — Zo asymptotically in the packet length n. 

As before, assume that n is divisible by C and let n' = 

n/C - (1 + kC), where k = (bC + 1)(6 + 1) log 2 q. 



Let H £ 



7 C'xC 



be the parity-check matrix of a [C, Z{\ 



linear MRD code over Fq. Let T £ Fq XC be an invertible 
matrix such that the first C — Zi rows of T" 1 are equal to H. 



N' 



£ ¥n lXC ' is 



chosen uniformly at random and independently from any other 
variables. Finally, she produces a transmission matrix 



X = 



It. 



B. Bob's decoder 



For each i = 1, . . . , k, Bob extracts a submatrix Y % from 
Y corresponding to the submatrix \lc <P( xl )] from X (i.e., 
columns 1, . . . , C, C + (i - l)C + 1, . . . , C + iC). He then 
applies on Y l the decoder described in Section [VT] to obtain 
each ith bit of §. 

Similarly, Bob extracts a submatrix Y° consisting of the first 
b and the last n'C rows of Y. Note that Y° = AX° + Z°, 
lib Ml 



where X° = 





Then, 







jCx(Hn'C) 

- q 



and Z° has rank 



at most Zo 

Section IV-Bl to obtain M. 
Finally, Bob computes x 



Bob applies the decoder described in 
~ 1 (M) and S = H x. 



C. Overall Analysis 

1) Secrecy analysis: The secrecy of the message is guar- 
anteed by the scheme of Section IV-AI 

2) Error probability analysis: By the union bound, the 
probability that Bob makes an error when decoding the k- 
bit secret § is at most kC/q c < C 4 (log 2 q)/q c = 0(^r-). 
Given that the secret is decoded correctly, the probability that 
Bob makes an error when decoding the message is at most 
0(n c ~ jq). Thus, the overall probability of error is at most 
0(n c2 /q). 

3) Rate analysis: The rate of the scheme is given by 
Rn'C/n = R(l - (1 + kC")C/n) < R - i?C 5 (log 2 q)/n. 
Thus, the rate loss is 0( q ). 

4) Complexity analysis: Decoding all the secret bits takes 
0(kC 5 ) = 0(C 8 log 2 q) operations in F 9 , while decoding 
the message is dominated by the secrecy decoding step with 
0{C A n) operations in ¥ q . 

Note: Both the rate loss and the error probability can be 
made asymptotically small by choosing q to grow faster than 
polynomially but slower than exponentially in n. For instance, 
we may choose q = 2 . 



VIII. Errata for J2) 

We briefly reprise the scheme of Q before demonstrating 
the flaw in the proof. In what follows, all operations are over 
F,. 

In the scheme of (2) there exist two hash matrices Dq and 
Di which are chosen independently and uniformly at random 
C 2 (C — Zq) x C 2 Vandermonde matrices, i.e., each column 
of D and D x is of the form h(u) = [u, u 2 , U c2( - C ~ Z °' ) ] T ', 
where the generator u is chosen independently and uniformly 
at random from ¥ q . Both Do and D\ are publicly known to 
all parties, including Bob and Calvin. 

Alice's Encoder: Alice first chooses a random length- 
(C 2 (C-Z )-C 2 ) row vector u. Let I E {0, 1} be the secret 
bit that Alice wishes to send to Bob. Alice then constructs the 
length- 1 x C 2 row vector r such that [u, r]Dj = 0. Note 
that such r exists since the last C 2 rows of Dj form an 
invertible matrix. Finally the vector [u, r] is rearranged into 
a (C — Zq) x C 2 matrix which is sent through the network 
via random linear network coding. 

Bob's Decoder: After receiving the C x C 2 matrix Y, 
for each / e {0, 1} Bob check whether there exists 
C — Zo length-C vectors {xj,i E [1,C — Zo]} such that 
[xiY, X2F, xc_z o y]D.r = 0. If so, Bob decodes the 
secret bit as /. The idea is that if / is Alice's bit, such 
{xj, i € [1, C — Zo}} exists for Dj with high probability 0. 

Calvin's successful attack: When Calvin corrupts Zo > 
C—Zo edges, Calvin could mimic Alice's behaviour when she 
wishes to transmit a particular bit, say 1. As a result Bob would 
always find length-C row vectors {xj, i E [1, C — Zo]} such 
that [xiY, X2F, ...,x.c-z Y]Di = 0. In this case Bob cannot 
determine whether the bit 1 is from Alice or from Calvin. 

Even if Calvin can only inject Zo < C — Zo errors, if Zo + 
Zr > C — Zo, there is another successful attack for Calvin. 
To see that, without loss of generality let Zq + Zj = C — Zo- 
Since Calvin can eavesdrop on Zi packets {y,,J <E 
he can carefully choose his Zo injected error packets {zj, i E 
[1,Z ]} so that [yi, ...,y Z/ ,zi, ...,z Zo ]L»i =0. In this case, 
Bob also always decodes its bit as 1, Thus the scheme in J2) 
only works for the case where C > 2Zo + Zj, which does 
not improve the result in 0. 

Why our scheme works: In our scheme Section [VTl instead 
of distinguishing the bit by the hash matrices, Alice hides her 
secret in the rank of the bit matrix she transmits. In particular, 
there is a rank gap C — Zj between the bit matrix for bit and 
the one for bit 1. Thus as long as C — Z[ > Zo, Calvin cannot 
mimic Alice any more, since he can only inject Zo errors. As 
a result Bob can determine Alice's bit by examining the rank 
of the matrix he decodes. 

IX. Conclusion 

In this work we considered the problem of communicating 
information secretly and reliably over a network containing 
a malicious eavesdropping and jamming adversary. Under 
the assumptions that vanishingly small probabilities of error 
and block coding are allowed, we substantially improve on 
the best achievable rates in prior work JT), and also prove 



the optimality of our achievable rates. A key component of 
our code design is a scheme that allows a small amount 
of information to be transmitted secretly and reliably over 
the network, as long as the total number of packets that 
the adversary can either eavesdrop on or jam is less than 
the communication capacity of the network. In proving this 
scheme we correct an error in the proof of prior work by 
a subset of the authors of this work. 
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